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AUTHENTICATION DEVICE USING ANATOMICAL INFORMATION 
AND METHOD THEREOF 



Background of the Invention 
5 Field of the Invention 

The present invention relates to an 
authentication device using anatomical information and 
g§ a method thereof. 

J/-^ 10 Description of the Related Art 

O Recently, a variety of authentication devices 

m using anatomical information, such as finger print 

1^ information, voice print information, iris 

2^" information, face information, etc., have been sold. 

\j 15 Authentication systems using such an authentication 

S^ device on a network have also been widely used. In the 

case of an authentication system on a network, an 
apparatus called an authentication server often 
manages registration data collectively. For example, 
20 in the case of an authentication by a finger print, 
finger print feature information is collected on a 
client side provided with a finger print input device 
and is transferred to an authentication server. A 
server side performs collation based on the finger 
25 print feature information and confirms that the user 
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is authenticated. Then, the server side performs 
processes, such as access permission, etc. 

The assurance of confidentiality in transferring 
anatomical information to an authentication server is 
5 a major problem in improving the security of these 
systems . 

Fig. 1 shows an example of the configuration of 
.^^^ a conventional authentication system using anatomical 

information. 

nj 10 The conventional authentication system using 

f.? anatomical information comprises a terminal device 1 

^: for obtaining the finger print information of a user 

= to be authenticated, encrypting the information and 

\ji transmitting the information to a central device via 

rj^ 15 a network 3 together with time information specifying 

y when the finger print information has been obtained, 

and a central device 2 for deciphering both the 
encrypted finger print information and time 
information received via the network 3 based on 
20 registered finger print information and performing the 
authentication of the received finger print 
information together with the receiving time 
information . 

The finger print information obtaining unit 11 
25 of the terminal device 1 obtains the finger print 
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information of a user to be authenticated by a user 
pressing his/her finger print on a predetermined 
place. An encrypting unit 12 encrypts the obtained 
finger print information under a predetermined 
5 procedure. A clock unit 13 generates first real time 
information. A packet generation/transmitting unit 14 
combines the encrypted finger print information and 
the first real time information into packet data and 
^ transmits the data. A modulation unit 15 modulates the 

ry 10 packet data at a transmission speed corresponding to 

p the network 3 and transmits the packet data to the 

network 3 via a line interface unit 16. The 
= demodulation unit 22 of the central device 2 

%.l demodulates the modulated packet data received from 

15 the network 3 via the line interface unit 21. The 

' '•£ 

demodulated packet data, for example, are assembled 
and decrypted in a packet data receiving/assembly unit 
23 if the data are divided into cells and are 
transmitted as in an ATM (Asynchronous Transfer Mode) 

20 network. A decrypting unit 24 decrypts the encrypted 
finger print information in the assembled packet data. 
A finger print information registering/storage unit 
25 registers the finger print information of a 
plurality of users. A finger print information 

25 decrypting unit 26 reads registration information from 
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the finger print information registering/storage unit 
25, collates the read registration information with 
the received and decrypted finger print information 
and judges whether the received finger print 
5 information matches the registration information. A 
clock unit 27 generates second real time information. 
If the finger print information decrypting unit 26 
«=i judges that the received finger print information 

2f matches the registration information, an 

oj 10 authentication unit 28 compares the first real time 

^3 information included in the received packet data with 

2^ the second real time information, and if the time 

^ difference is not unnaturally large, the 

authentication unit 28 authenticates the received 
15 finger print information, 
y Fig. 2 shows the structure of packet data. 

First, a user to be authenticated presses his/her 
finger on a predetermined position of the finger print 
information obtaining unit 11 of the terminal device 
20 1. The finger print information obtaining unit 11 
generates finger print information based on the finger 
print by a predetermined method and transmits the 
information to the encrypting unit 12. The encrypting 
unit 12 encrypts the received finger print information 
25 under the predetermined procedure and generates finger 
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print information. The packet data 
generating/transmitting unit 14 receives time 
information from the clock unit 13, generates packet 
data 4 composed of the encrypted finger print 
5 information 41 and time information 42 as shown in 
Fig. 2 and transmits the information. As described 
above, according to the conventional authentication 
system using anatomical information, only anatomical 
information (finger print information) is encrypted. 

10 The modulation unit 15 modulates the packet 

information at a transmission speed corresponding to 
the network 3 and transmits the information to the 
network 3 via the line interface 16. In the central 
device, the demodulation unit 22 demodulates the 

15 modulated packet data received from the network 3 via 
the line interface unit 21. 

The packet data receiving/assembly unit 23 
assembles the demodulated packet data (if they are 
divided and transmitted as ATM cells) as packet 

20 information and transmits the information to the 
decrypting unit 24 . The decrypting unit 24 decrypts 
the received packet information under the 
predetermined procedure and obtains the original 
finger print information. 

25 The finger print information decrypting unit 26 



collates the received finger print information with 
a plurality of pieces of finger print information 
registered in the finger print information 
registering/storage unit 25, and if the received 
information and registered information match, the 
finger print information decrypting unit 26 transmits 
the information to the authentication unit 28. The 
authentication unit 28 compares actual time 
information announced by the clock unit 27 with the 
time information 42 included in the received packet 
data, and if it is judged that there is no unnatural 
time difference (total time period obtained by 
totaling the respective process time of the terminal 
device 1 and central device 2 and the transmission 
time of the network 3 is judged to be a natural time), 
the authentication unit 28 judges that the received 
finger print information belongs to the user to be 
authenticated. As a result, access to the place 
related to the authentication, such as a computer 
center, etc., of the user to be authenticated is 
allowed and the user can enter the computer center, 
can obtain financial information, etc. 

As described above, according to even the 
conventional method, finger print information can be 
prevented from being stolen and thereby a third party 
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can be prevented from successfully impersonating a 
legal user to some extent since the finger print 
information of a user to be authenticated is encrypted 
and transmitted by the terminal device 1 and the 
5 information is checked by the central device 2 
together with time information about when the finger 
was printed for reading. 

However, the conventional method has a 
disadvantage in that the encrypted finger print 

10 information 41 and time information 42 of packet data 
4 can be easily separated and thereby a third party 
can successfully impersonate a legal user by 
generating new time information, replacing the old 
time information with the new time information and 

15 transmitting the finger print encryption information 
together with the new time information, which is a 
problem. 

As described above, the conventional 
authentication system using anatomical information has 
20 a problem that a third party cannot be completely 
prevented from successfully impersonating a legal user 
and the security of highly confidential information 
cannot be ensured. 
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Siunmary of the Invention 
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It is an object of the present invention to 
provide both an authentication device and a method 
using anatomical information which can completely 
prevent a third party from successfully impersonating 
a legal user in an authentication system using 
anatomical information . 

An apparatus in the first aspect of the present 
invention is an authentication device using anatomical 
information, which comprises an anatomical information 
obtaining unit for obtaining anatomical information, 
an identification information generating unit for 
generating identification information which can 
specify the anatomical information, an additional 
information generating unit for generating additional 
information which can verify the identification 
information and a collation information generating 
unit for encrypting both the anatomical information 
and additional information and combining the encrypted 
anatomical information, encrypted additional 
information and the identification information into 
collation information . 

An apparatus in the second aspect of the present 
invention is an authentication device using anatomical 
information, which comprises an anatomical information 
collating unit for collating anatomical information 
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with information registered in advance, an 
Identification information Judging unit for judging 
Whether identification information received together 
with the anatomical information meets prescribed 
requirements and an identification information 
verifying means for verifying the identification 
information using an operational value obtained by 
mapping the additional information. 

A method in the first aspect of the present 
xnvention is a collation information generating method 
for authentication using anatomical information, which 
comprises the steps of obtaining anatomical 
information, generating identification information 
Which can specify the anatomical information 
generating additional information which can verify the 
identification information and encrypting the 
anatomical information and additional information and 
combining the encrypted anatomical information 
encrypted additional information and the 
Identification information into collation information. 

A method in the second aspect of the present 
invention is an authentication method using anatomical 
information, which comprises the steps of collating 
anatomical information with information registered in 
advance, judging whether identification information 
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received together with the anatomical information 
meets prescribed requirements and verifying the 
identification information using an operational value 
obtained by mapping the additional information. 
5 According to the present invention, collation 

information to be transmitted comprises anatomical 
information, identification information which can 
specify the anatomical information and additional 
'^=^ information which can be used to judge whether the 

ry 10 identification information is legal. Therefore, a 

third party cannot be easily authenticated even if the 

2^ third party steals the collation information while the 

y = 

® collation information is transmitted via a network or 

if the third party makes a request for an illegal 

n\ 

Ljl 15 authentication. If the third party fails in 



authentication, he/she can obtain only information 
indicating that he/she is not authenticated. 
Therefore, the third party cannot also easily steal 
information required for authentication. 
20 If the collation information is encrypted, the 

security of the confidential information can be 
improved . 
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Brief Descriptions of the Drawings 

Fig. 1 shows an example of the configuration of 
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a conven-tional authent:icat:ion system using anatomical 
information. 

Fig. 2 shows the structure of conventional packet 

data. 

Fig. 3 shows the structure of collation 
information used in the first preferred embodiment of 
the present invention. 

Fig. 4 is a flowchart showing the generation 
procedure of collation information in the first 
preferred embodiment . 

Fig. 5 shows an equipment configuration for 
implementing the first preferred embodiment. 

Fig. 6 is a flowchart showing an authentication 
procedure using collation information generated in the 
procedure shown in Fig. 4. 

Fig. 7 shows the configuration of an apparatus 
for performing the process shown in Fig. 6. 

Fig. 8 shows the structure of collation 
information in the second preferred embodiment of the 
present invention . 

Fig. 9 is a flowchart showing a process procedure 
in the third preferred embodiment of the present 
invention. 

Fig. 10 shows an equipment configuration for 
generating collation information in the third 
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preferred embodiment . 

Fig. 11 is a flowchart showing an example of the 
generation procedure of additional information. 

Fig. 12 is a flowchart showing a collation 
5 procedure in the third preferred embodiment. 

Fig. 13 shows the configuration of the collation 
unit in the third preferred embodiment. 

Fig. 14 is a flowchart showing a collation 
information generating procedure in the fourth 
10 preferred embodiment of the present invention. 

Fig. 15 shows the configuration of a terminal 
device for generating collation information in the 
fourth preferred embodiment. 

Fig . 16 is a flowchart showing a collation 
15 procedure in the fourth preferred embodiment. 

Fig. 17 shows the configuration of a collation 
unit in the fourth preferred embodiment. 

Fig. 18 shows the basic configuration of a 
preferred embodiment where a terminal device obtains 
20 common counter information via a communications 
network . 

Fig. 19 shows a data structure used in the fifth 
preferred embodiment. 

Fig. 20 shows the system configuration of the 
25 fifth preferred embodiment. 
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Fig. 21 is a flowchart showing the process 
procedure of the terminal device 310 shown in Fig. 20. 

Fig. 22 shows the equipment configuration of the 
terminal device 310. 

Fig. 23 is a flowchart showing the process 
procedure of a relay device 320. 

Fig. 24 shows the equipment configuration of the 
relay device 320. 

Fig. 25 is a flowchart showing the operation 
procedure of an authentication device 330 in the fifth 
preferred embodiment . 

Fig. 26 shows the equipment configuration of the 
authentication device 330 in the fifth preferred 
embodiment . 

Fig. 27 shows the hardware configuration needed 
when the preferred embodiments described above are 
implemented by software. 

Description of the Preferred Embodiments 

According to the present invention, in an 
authentication system using anatomical information for 
collecting anatomical information in a form of an 
image and authorizing information using the image, the 
alteration of anatomical information by a third party 
who illegally wants to be authenticated can be 
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prevented by using an authentication device using 
anatomical information which is characterized in 
authorizing information using both anatomical 
information generated based on the collected image and 
5 identification information which can specify the 
anatomical information, and thereby a system which can 
implement high security against impersonation can be 
provided. 

The present invention relates to a technology for 

10 authentication using anatomical information, such as 
finger print information, voice information, etc,, and 
aims to implement high security against a third party 
who illegally wants to be authenticated, using 
information obtained by encrypting the anatomical 

15 information and information which can specify the 
anatomical information . 

Fig. 3 shows the structure of collation 
information used in the first preferred embodiment of 
the present invention. 

20 In Fig. 3, collation information 50 comprises 

identification information 51 and anatomical 
information 52. The anatomical information 52, for 
example, is feature information included in a finger 
print image, etc. The identification information 51 

25 is information which can specify the anatomical 
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information 52. For the identification information 51, 
for example, the description or serial number of 
equipment by which anatomical information is collected 
or information which can specify a transfer route from 
5 the equipment to an authentication server, is used. 
The identification information 51 and anatomical 
information 52 are combined and are both encrypted. 
In this way, the identification information 51 is 
O prevented from being easily separated from the 

m 10 collation information 50. As the identification 

information 51, information that cannot be easily 
y judged to be correctly discovered when a third party 

y1 illegally tries to decipher the identification 

information 51, is used. 
15 Fig. 4 is a flowchart showing the generation 

procedure of collation information in the first 
preferred embodiment . 

First, in step SI, anatomical information is 
obtained. For example, a user who wants to be 
20 authenticated presses his/her finger on a sensor. 

Then, in step S2, identification information is 
generated. As described earlier, it is preferable to 
use information which is specific to the equipment 
used and has no relation to a user input, such as the 
25 serial number of equipment by which the anatomical 





16 



information 



is 



obtained. 



for 



identification 



5 




nj 15 

r1 



20 



25 



information. Then, in step S3, collation information 
is generated by encrypting both the anatomical 
information and identification information. In this 
case, although the anatomical information and 
identification information can be encrypted using the 
same encryption key, it is effective to encrypt the 
anatomical information and identification information 
using different encryption keys. 

Fig. 5 shows the equipment configuration for 
implementing the first preferred embodiment. 

A anatomical information input unit 101 collects 
anatomical information, such as a finger print, etc., 
from a sensor. For example, the anatomical information 
input unit 101 comprises a camera, an image processing 
device and a device for extracting anatomical 
information, such as the feature information of a 
finger print, etc., from a visually processed 
anatomical image. An identification information 
generating unit 102 generates identification 
information. It is preferable to use a variety of 
information described earlier, for the identification 
information. The identification information is 
encrypted together with the anatomical information in 
an encryption information generating unit 111 and the 
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are c„^.„aa .„.o co.la.Xon .n.o..a..o„ .„ a co..a..on 
information generating unit 200. 

^±9. 6 1. a faowohart showing an authentication 
~ using .ollatlon Information generated unaer 
the procedure shown In Fig. 4. 

info «"«^P*-<' anatomical 

information ana laentlflcatlon information are 
-cr.ptea. .hen, m step six the anatomical 
information Is collatea with registration Information 

the Tnf"" " " ""^''^ 

the information match. if boi-h 

• J-t both pieces of the 

m ormatlon ao not match, the flows proceeas to step 

authe t " •'^ 

sip slTrr ^"^""^^^ • " - 

inl ^'^^ t«nsmlttea anatomical 

information ana registration Information match, the 
ow proceeas to step S13 ana the Identification 
information Is collated. . aatahase m which the 
serral numher of equipment aXlowea to he usea etc 
- registered 1„ advance, la used to collate 

Identification information Collati ■ 

^ Collation IS sequentially 

performed by reading a reol,t„*- 

^ ^ ^ registration content from the 

atahase and collating each registration content with 
-e respective received laentlflcatlon Information. 
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Alternatively, it is judged whether a pre-determined 
result can be obtained by performing a pre-determined 
operation for the identification information, etc. In 
step S14 it is judged whether prescribed requirements 
are met. Specifically, in the case of collation by the 
serial numbers of equipment, it is judged that the 
anatomical information has been collected from legal 
equipment. In the case of the calculation, it is 
judged whether the pre-determined result has been 
obtained. If it is judged that the prescribed 
requirements are met, in step SI 5 it is determined to 
authenticate the information and the process is 
terminated. If in step S14 it is judged that- the 
prescribed requirements are not met, the flow proceeds 
to step SI 6 and it is determined not to authenticate 
the information and the process is terminated. 

Fig. 7 shows the configuration of an apparatus 
for performing the process shown in Fig. 6. 

In a decrypting unit 211, the encrypted collation 
information is divided into decrypted anatomical 
information and decrypted identification information. 
In an anatomical information collating unit 221, the 
separated anatomical information is collated with 
information registered in advance in an anatomical 
information storage unit 222, and it is judged whether 
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the ana-tomical informa-tion and registration 
information match. As for the identification 
information, it is judged whether the content 
satisfies a pre-determined tolerance in an 
5 identification information evaluating unit 224. To 
satisfy a pre-determined tolerance means, for example, 
what has been described with reference to step S14. 
In a collation judgment unit 223 it is judged whether 

O 

•dj the result of the collation by anatomical information 

51 10 in the anatomical information collating unit 221 and 

^! the result of the evaluation by identification 

Jj information in the identification information 

01 

3 evaluating unit 224 both meet the requirements. If the 

requirements are met, the collation information is 
l^ 15 authenticated and the target user is allowed to 

p legally use collation information. To be allowed to 

legally use collation information means to be granted 
a right to use a computer, etc. Especially, the 
computer is unlocked. 
20 According to this preferred embodiment, since 

identification information is authenticated in 
addition to anatomical information, security is 
improved. Furthermore, since both anatomical 
information and identification information are 
25 encrypted, it is difficult for a third party to 
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decipher collation information or to replace the 
collation information with new collation information. 
A possibility that time information, which is not 
encrypted, may be replaced like the prior art can also 
be reduced. 

Fig. 8 shows the structure of collation 
information in the second preferred embodiment of the 
present invention . 

In the second preferred embodiment, additional 
information (DD: digest data) 57 is included in 
collation information 55 for verifying identification 
information 56 in addition to the identification 
information 56 by which the collection time of or 
equipment used to collect the anatomical information 
58 shown in Fig. 3 can be specified. In Fig. 8, both 
the additional information 57 and anatomical 
information 58 are encrypted. The additional 
information 57 and identification information 56 have 
the following relationships and the identification 
information 56 can be verified by using the 
identification information 57. 

A = F (DD) 

Where 

A: Identification information 
F: Pre-defined mapping 
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In this case, first, identification information 
A is determined and then DD is obtained using an 
inverted map F"^. Conversely, first, DD can be 
determined and then identification information A can 
be obtained using a map F. 

The additional information 57 and anatomical 
information 58 of the collation information 55 to be 
used for collation are both encrypted in such a way 
that the following equation can be established. 

I = H (B) 

Where 

I : Collation information 

B: Information composed of additional information 
and anatomical information 

If the configuration of this preferred embodiment 
is adopted, impersonation by a third party can be 
detected by verifying identification information A 
even if encrypted collation information I is replaced 
with the information of another user. As a result, 
higher security against illegal authentication than 
that obtained by the conventional method can be 
implemented . 

In this preferred embodiment, collation 
information, the alteration of which can be detected, 
can be generated by generating additional information 
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which can specify identification information in 
addition to the identification information for 
specifying collected anatomical information and using 
the additional information together with the 
anatomical information . 

In this preferred embodiment, the collection time 
can be specified by using the collection time as 
identification information. If the collection time is 
used as identification information, there is a 
possibility that identification information can be 
separated from collation information and can be 
replaced with another piece of information. However, 
since the identification information can be verified 
by using additional information, it can be judged 
whether the identification has been replaced with 
another piece of information. 

In a communications system using a variable- 
length packet, a new piece of identification 
information can also be added every time data pass 
through different equipment in a network. 

Alternatively, order information for specifying 
the order in which anatomical information is collected 
in specific equipment can be used as identification 
information. In this case, if anatomical information 
is not received from specific equipment in the order 
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indicatied by -the order inf orma-tion, it can be judged 
that there is a failure in the transmission line or 
the transmission line is being tapped. 

Information about a route taken between an 
5 obtaining device and an authentication device in which 
anatomical information is collected, can also be used 
as identification information. 

Fig. 9 is a flowchart showing the process 
procedure in the third preferred embodiment of the 

10 present invention. 

First, in step S20, anatomical information is 
collected. In step S21, identification information is 
generated. When the anatomical information is 
collected in step S20, the collection time or 

15 collection date indicating when anatomical information 
is collected, the serial number of equipment by which 
anatomical information is collected, counter 
information, etc., are obtained and used as 
identification information. Then, in step S22, 

20 additional information is generated. As described with 
reference to the second preferred embodiment, the 
additional information is generated using the inverted 
map of a map provided as additional information at the 
time of collation in such a way that the map of the 

25 additional information becomes identification 
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information* Then, in step S23, encryption information 
is generated by encrypting both the additional 
information and anatomical information. In step S24, 
the encryption information and identification 
information are combined into collation information. 

Fig. 10 shows the equipment configuration for 
generating collation information in the third 
preferred embodiment . 

According to an instruction from a control unit, 
which is not shown in Fig. 10, the anatomical 
information input unit 101 collects anatomical 
information, such as finger print information, voice 
print information, iris information, etc. , and 
information to be used to collate is generated by 
feature extraction, etc. This process is the same as 
that performed in the conventional case. In parallel 
to the input process of the anatomical information 
input unit 101, the identification information 
generating unit 102 generates information which can 
specify the collection time, a collection place or 
equipment by which anatomical information is 
collected, such as collection time, the serial number 
of collected information, etc. , according to an 
instruction from a control unit, which is not shown 
in Fig. 10. The additional information generating unit 
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103 generates additional information which can verify 
the identification information. The identification 
information can also be used without additional 
information. An encryption information generating unit 
5 111 encrypts both the feature information from the 
anatomical information input unit 101 and additional 
information from the additional information generating 
unit 103. 

The information encrypted in the encryption 

10 information generating unit 111 is combined into 
collation information together with the identification 
information generated by the identification 
information generating unit 102 in a collation 
information generating unit 200. 

15 Fig. 11 is a flowchart showing an example of the 

generation procedure of additional information. 

Fig. 11 does not limit the additional information 
generating method of this preferred embodiment to this 
method. For example, a general hash method, such as 

20 MD5, SHA, etc., can also be used. 

First, in step S30, a hash value (H) is 
initialized to "0". Then, in step S31, leading data 
is set as a process target. In step S32, it is judged 
whether the process of complete data is completed. If 

25 it is judged that the process of complete data is not 
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completed yet, in step S33 the calculated hash value 
(H) is shifted leftward by eight bits. Then, in step 
S34, data to be processed is added to the hash value 
(H). Then, in step S35, the hash value (H) is divided 
by the complete data size to be processed. Then, in 
step S36, subsequent data is set as a process target 
and the flow returns to step S32. If in step S32 it 
is judged that the process of complete data is 
completed, in step S37 a final hash value (H) is 
calculated, it is judged that the generation of 
additional information is completed and the process 
is terminated. 

Fig. 12 is a flowchart showing the collation 
procedure in the third preferred embodiment. 

In step S40 received collation information is 
divided into encryption information and identification 
information, in step S41 the encrypted information is 
decrypted and divided into anatomical information and 
additional information. In step S42, the anatomical 
information is collated with information registered 
in advance, and in step S43 it is judged whether the 
anatomical information and registration information 
match. If in step S43 it is judged that the anatomical 
information and registration information do not match, 
in step S47 it is determined not to authenticate the 
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anatomical information and the process is terminated. 
If in step S43 it is judged that the anatomical 
information and registration information match, in 
step S44 information for verifying identification 
5 information is generated based on the additional 
information. For example, verification information is 
generated by performing a pre-determined mapping for 
the additional information. If the additional 
43 information is generated by the process shown in Fig. 

pj 10 11, verification information is generated by a process 

^1 that is the reverse of the process shown in Fig. 11. 

In step S45, the generated verification 
3 information is collated with the identification 

vl information separated from the collation information, 

15 and the identification information is verified. If the 
O identification information is verified by the 

verification information, in step S46 the user is 
authenticated to be a legal user. If the 
identification information is not verified, in step 
20 S47 it is determined not to authenticate the collation 
information and the process is terminated. 

In the third preferred embodiment, what is 
finally notified to a user who inputs anatomical 
information is a result indicating whether the user 
25 is authenticated to be a legal user. In order to 
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succeed in impersonation, deciphering both encrypted 
information and a verification information generating 
method based on additional information is required. 
Therefore, only information about whether a user is 
5 authenticated is not sufficient to decipher collation 
information. Accordingly, security can be greatly 
improved compared with the conventional method. 

Fig. 13 shows the configuration of a collation 
unit in the third preferred embodiment. 

10 Collation information is divided into encryption 

information composed of anatomical information and 
additional information, and identification information 
in a collation information dividing unit 201. After 
the encryption information is decrypted in a 

15 decrypting unit 211, in an anatomical information 
collating unit 221, the anatomical information is 
collated with anatomical information stored in advance 
in a anatomical information storage unit 222, and the 
result is sent to a collation judgment unit 222. After 

20 being stored in an additional information storage unit 
213, the additional information is used to verify the 
identification information stored in the 
identification information storage unit 212 in an 
identification information verifying unit 214. The 

25 collation judgment unit 223 is notified of the 
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verification result by the identification information 
verifying unit 214. Only when the respective 
notification by the anatomical information collating 
unit 221 and identification information verifying unit 
214 are both "to be authenticated", the user is 
authenticated to be a legal user as a result. 

Fig. 14 is a flowchart showing a collation 
information generating procedure in the fourth 
preferred embodiment of the present invention. 

In the fourth preferred embodiment, counter 
information built into equipment which is obtained 

at the time of finger print collection, is obtained 
and is used as identification information. Then, 
digest information (additional information) is 
generated based on the counter information obtained 
at the time of finger print collection. After being 
encrypted, both anatomical information obtained by 
extracting a feature from a collected finger print 
image and the digest information are transmitted to 
an authentication server on a network via a 
communications unit together with identification 
information comprised of the collection counter 
information. Then, the authentication result is 
received in the communications unit from the 
authentication server via the network and a series of 
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authentication processes are terminated. 

First, in a collation information generating 
procedure, in step S50, a finger print is collected. 
Then, in step S51, counter information, which is a 
counter value obtained when a finger print image is 
collected, is obtained. In step S52 digest information 
is generated based on the counter information, and in 
step S53 the finger print feature and digest 
information are encrypted. Then, in step S54, 
collation information is generated based on both the 
counter information and encryption data. In step S55 
the collation information is transmitted to an 
authentication server via a network, and in step S56 
the authentication result of the authentication server 
is received via the network. 

Fig. 15 shows the configuration of a terminal 
device for generating collation information in the 
fourth preferred embodiment. 

In a finger print collecting unit 131, a finger 
print image is collected and feature information is 
extracted. According to an instruction from a control 
unit, which is not shown in Fig. 15, the counter 
information of a counter update unit 134, which is 
obtained at the time of finger print collection, is 
recorded in a counter information obtaining unit 133, 
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and verif ica-tion information is generated in a digest 
generation unit 132. Both the generated digest 
information and the feature information extracted by 
the finger print image collecting unit 111 are 
5 encrypted. The collection counter information recorded 
in the counter information obtaining unit 133 is 
combined with encryption information from the 
P=i encryption information generating unit 111 in a 

2; collation information generating unit 212 into 

y = 

ry 10 identification information and is transmitted to an 

n authentication server via both a communications unit 

~l 150 and a network, which is not shown in Fig. 15. The 

collation result of the authentication server is 
"^J received in the communications unit 150. 

■-^j 15 Fig. 16 is a flowchart showing a collation 

procedure in the fourth preferred embodiment. 

In the authentication server, after, in step S60, 
the communications unit receives collation 
information, in step S61 the collation information is 
20 divided into encryption information and identification 
information. In step S62, the encryption information 
is decrypted and divided into anatomical information 
(finger print feature information) and digest 
information for verifying counter information. In step 
25 S63, the finger print feature information is collated 



f 1 
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with information registered in advance. In step S64, 
it is judged whether the feature information and 
registration information match. If the feature 
information and registration information do not match, 
5 in step S70 it is determined not to authenticate the 
anatomical information, and in step S71 this 
determination is transmitted to the network. If in 
step S64 the feature information and registration 
information match, in step S65 counter information 

10 obtained at the time of collection and current counter 
information are compared. If in step S66 the counter 
comparison result is within a prescribed time 
difference, the counter information separated as 
identification information at the time of collection 

15 is verified using the digest information {step S67). 

If in step S68 the digest information and collection 
counter information are compared and it is judged that 
the digest information and counter information do not 
match, the flow proceeds to step S70 and in step S70 

20 it is determined not to authenticate the anatomical 
information and the result is transmitted to the 
network (step S71). If in step S68 it is confirmed 
that the digest information and counter information 
match, in step S69 it is determined to authenticate 

25 the anatomical information and the authentication is 
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transmitted from the communications unit (step S71 ) - 
Fig. 17 shows the configuration of a collation 

unit in the fourth preferred embodiment . 

A counter measurement unit 232 and a collection 

counter information comparing unit 237 are further 

comprised compared with the configuration shown in 

Fig. 13. 

On receipt of collation information, a 
communications unit 250 inputs the collation 
information to a collation information dividing unit 
201. The collation information dividing unit 201 
divides the collation information into encryption 
information and counter information. The encryption 
information is decrypted in a decrypting unit 211 and 
is divided into anatomical information and digest 
information. Then, in an anatomical information 
collating unit 234, the anatomical information is 
collated with registration information stored in an 
anatomical information storage unit 233, and the 
result is transmitted to a collation judgment unit 
238. The digest information is inputted to a digest 
decrypting unit 235, and counter information is 
obtained from the digest information by mapping. 

After being temporarily stored in a collection 
counter information storage unit 231, the collection 



34 

counter information separated by the collation 
information dividing unit 201 is compared with a 
counter value obtained in the digest decrypting unit 
235 in a digest comparison unit 236, and the result 
is inputted to the collation judgment unit 238. In the 
collection counter information comparing unit 237, the 
collection counter information is compared with the 
counter value of the counter measurement unit 232, it 
is Judged whether the difference between the 
collection counter information and counter value is 
within a prescribed range and the collection counter 
information is inputted to the collation judgment unit 
238. 

If the anatomical information matches the 
registration information, the collection counter 
information of the digest information matches the 
counter value of the digest decrypting unit 235 and 
the difference between the collection counter 
information and the counter value of the counter 
measurement unit 232 is less than a specific value, 
the collation judgment unit 238 judges that the 
collation information is verified. 

The preferred embodiment shown in Fig. 15 shows 
a case where a built-in counter is used. In this case, 
there are the following methods for ensuring the 
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matching of counter information between equipment. 
Specifically, the initial value is fixed by converting 
the time difference between time information obtained 
when software to be installed in each piece of 
equipment is produced and the time information of each 
piece of equipment, to the scale of a used counter 
when the counter is installed. Then, the counter of 
each piece of equipment is counted up at prescribed 
time intervals (using a time range allowed in 
authentication as units). In this way, the matching 
of counter values between equipment can be ensured. 

The system can also be configured in such a way 
that a counter is not built into each piece of 
equipment and common counter information can be 
obtained from a device installed on the network via 
a communications line. 

Fig. 18 shows the basic configuration of a 
preferred embodiment in which each terminal device 
obtains common counter information via a 
communications 1 ine . 

One of terminal devices 310-1 and 310-2 is an 
anatomical information collecting device and the other 
is a collation device for collating information using 
anatomical information, such as a finger print, etc. 
A common counter device 100 supplies a counter value 
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which the terminal devices 310-1 and 310-2 share. For 
example, if the terminal 310-1 is assumed to be an 
anatomical information collecting device, the terminal 
device 310-1 collects anatomical information, and when 
generating collation information, it obtains a counter 
value from the common counter device 100 via a network 
A and generates the counter information of the 
collation information. The collation information 
transmitted from the terminal device 310-1 is 
transmitted to the terminal device 310-2 via the 
network A. In the terminal device 310-2, the received 
collation information is processed in the same way as 
in the fourth preferred embodiment and counter 
information is collated. Although in the fourth 
preferred embodiment, a counter value is obtained 
using a built-in counter synchronized with the 
transmitting side and the counter values are compared, 
in the fifth preferred embodiment, a counter value is 
obtained from the common counter device 100 via 
network A and the counter value is compared with a 
counter value included in the collation information. 

Therefore, there is no need to synchronize a 
counter on the transmitting side with a counter on the 
receiving side, unlike a case where a built-in counter 
is used, and thereby equipment configuration can be 
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simplified. 

Fig. 19 shows a data structure used in the fifth 
preferred embodiment . 

The data of the fifth preferred embodiment 
5 comprise information about routes taken from where 
finger print data (anatomical information) are 
collected and to where the finger print data are 

0 authenticated. 

m Specifically, when transmitting collation 

10 information, as shown in (1), a transmitting device 
£? generates both finger print data, which are anatomical 

01 information, and additional information (criterion 

information) aO, which is generated on the basis of 
"the finger print data, and encrypts and transmits both 

N 15 pieces of data as one packet. Then, when this 

collation information passes through a relay device 
which is installed in route 1, the relay device 
attaches both an identifier for specifying route 1 and 
additional information al which is generated by 
20 mapping this identifier (in this case, criterion 
information aO is used) to packet (1) and transmits 
packet data, as shown in (2). Furthermore, when the 
packet ( 2 ) passes through a relay device which is 
installed in route 2, the relay device generates 
25 packet (3) by attaching both an identifier for 
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specifying route 2 and additional information a2 which 
is generated by mapping this identifier, to packet (2) 
and eliminating the additional information al and 
transmits the packet. 
5 In this way, since a relay device which is 

installed in a specific route of a network attaches 
route information to a packet every time collation 
information passes through the relay device, it can 
be judged whether the collation information has taken 

10 a normal route or incorrect route. 

Fig. 20 shows the system configuration of the 
fifth preferred embodiment. 

The system is configured in such a way that one 
or more relay devices 320 are installed between a 

15 terminal device 310 and an authentication device 330. 

The terminal device 310 generates collation 
information based on collected anatomical information 
and transmits the collation information to network A, 
On receipt of the collation information from network 

20 A, a relay device 320 attaches the identifier or 
identification information of a route where the relay 
device 320 is installed, to the collation information, 
further attaches an identifier or additional 
information which is generated based on the 

25 identification information, to the collation 
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information, as described with reference to Fig. 19, 
and transmits the collation information to a network 
B. On receipt of the collation information from 
network B, the authentication device 330 performs 
anatomical information collation and performs 
identification information collation, judges whether 
the identification information is altered by using the 
additional information and judges whether a user who 
wants to be authenticated using the terminal device 
310 should be authenticated. The judgment result is 
transmitted to the terminal device 310 via network B, 
the relay device 320 and network A, in this order. 

Since the respective generation methods of both 
a criterion value and additional information are the 
same as those described with reference to Fig. 11, the 
descriptions are omitted here. However, the methods 
described with reference to Fig. 11 are only examples 
and the generation methods are not limited to the 
methods. A general hash method, such as MD5, SHA, 
etc. , can also be used. A criterion value is aO shown 
in Fig. 19, and indicates additional information 
generated based on anatomical information. 

Fig. 21 is a flowchart showing the process 
procedure of the terminal device 310 shown in Fig. 20. 

First, in step S75 a finger print image is 
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collected, and in step S76 the criterion value of the 
finger print data is calculated. Then, in step S77, 
collation information is generated by encrypting both 
the finger print data and the criterion values of the 
5 finger print data. Then, in step S78, the collation 
information is transmitted to a relay device via a 
network . 

p Although in this example, the description has 

been given using finger print data as anatomical 
-J'i 10 information, the processes described above are also 

D applicable to general anatomical information. 

m Fig, 22 shows the equipment configuration of a 

'Lz. terminal device 310, 

N In the terminal device 310, a finger print image 

n I 

15 collecting unit 131 collects a finger print image and 
extracts finger print information. Then, a criterion 
value generating unit 311 calculates a one-direction 
mapping value, which becomes a criterion value at the 
time of authentication by the authentication device 

20 330, based on the collection finger print information. 

After encrypting both the one-direction mapping value 
and collection finger print information, an encryption 
information generating unit 312 transmits the 
encrypted one-direction mapping value and collection 

25 finger print information to a relay device on a 



41 

network via a communications unit 351. The criterion 
value is generated according to the following equation 
and is encrypted, 

aO = ( Finger print data ) 

Fig. 23 is a flowchart showing the process 
procedure of a relay device 320. 

First, in step S80, the relay device 320 receives 
collation information from a network. Then, in step 
S81, the relay device 320 recognizes the mapping value 
of an immediately preceding relay device in the 
collation information. Then, in step S82, the relay 
device 320 calculates the digest information of the 
relevant relay device. Then, in step S83, the relay 
device 320 calculates a mapping value indicating the 
relevant relay device based on both the mapping value 
of the immediately preceding relay device and the 
digest information of the relevant relay device. In 
step S84, the relay device 320 replaces the mapping 
value of the immediately preceding relay device with 
the mapping value of the relevant relay device. In 
step S85 the relay device 320 attaches the information 
of the relevant relay device to the front of the 
communications data. In step S86, the relay device 320 
transmits the collation information to the network. 

Fig. 24 shows the equipment configuration of the 
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relay device 320, 

In the fifth preferred embodiment, data are 
prevented from being replaced during transmission over 
a network by attaching information which can specify 
a relay device 320, to finger print data when the 
finger print data passes through the relay device 320. 
Additional information is generated according to the 
following equation and is attached to the finger print 
data as a non-encrypted section together with repeater 
identification information, 

al = H^o (D( route 1) ) 

a2 = (D( route 2) ) 



an = H^cn-i) (D( route n)) 

Information indicated by route n is information 
for specifying a relay device 320, and corresponds to 
the IP address information of a network. Furthermore, 
time information about when finger print data reach 
the relay device 320 is obtained and designated as 
information route n together with the IP address 
information. Then, both the information route and one- 
direction mapping value which is obtained using data 
a(n-l) added by an immediately preceding relay device 
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are added as informa-tion route n and inf ormatiion an, 
respectively. 

On receipt of collation information, a 
communications unit 351 inputs the collation 
5 information to a collation information dividing unit 
321. The collation information dividing unit 321 
divides the received collation information into 
encrypted data and non-encrypted data, and inputs the 
encrypted data and non-encrypted data to an encryption 

10 information storage unit 322 and an non-encryption 
information storage unit 323, respectively. The 
encryption information stored in the encryption 
information storage unit 322 is read at an appropriate 
timing and is inputted to a collation information 

15 generating unit 326. After being read from the non- 
encryption information storage unit 323, the non- 
encryption information is inputted to a digest 
information generation unit 325. Equipment 
information, such as an IP address, etc., is also 

20 inputted from an equipment information obtaining unit 
324 for obtaining the IP address of a relay device, 
etc., to the digest information generation unit 325. 
The digest generation unit 325 generates digest 
information based on both the non-encryption 

25 information and equipment information in the procedure 
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described above and inputs the generated digest 
information into the collation information generating 
unit 326. The collation information generating unit 
326 generates collation information based on both the 
5 encryption information and digest information and 
transmits the collation information to a network via 
a communications unit 352, 

Fig. 25 is a flowchart showing the operation 
procedure of an authentication device 330 in the fifth 

10 preferred embodiment. 

First, in step S90, the authentication device 330 
receives collation information from a network. Then, 
in step S91, the authentication device divides 
additional repeater information into collation 

15 information and encryption information. In step S92, 
the encryption information is decrypted and is divided 
into anatomical information and a criterion value. In 
step S93, the authentication device collates finger 
print information with registration information. In 

20 step S94, it is judged whether the finger print 
information and registration information match. If it 
is judged that the finger print information and 
registration information do not match, in step S99 it 
is determined not to authenticate the finger print 

25 information, and in step SlOO the authentication 
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result is transmitted to the network. 

If in step S94 it is judged that the finger print 
information and registration information match, in 
step S95 the authentication device calculates a 
5 criterion value based on the additional repeater 
information. Then, in step S96, the authentication 
device compares the calculated criterion value with 
the decrypted criterion value, and judges whether the 
calculated criterion value and the decrypted criterion 

10 value match. If it is judged that the calculated 
criterion value and the decrypted criterion value do 
not match, in step S99 it is determined not to 
authenticate the finger print information, and the 
authentication result is transmitted to the network. 

15 If in step S97 it is judged that the calculated 
criterion value and the decrypted criterion value 
match, in step S98 it is determined to authenticate 
the finger print information and the authentication 
result is transmitted to the network. 

20 Although in this example the authentication 

device calculates a criterion value based on the 
additional repeater information and compares the 
calculated criterion value with the decrypted 
criterion value, the additional repeater information 

25 can also be calculated based on the decrypted 
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criterion value by an inverted map, and the decrypted 
additional repeater information can also be compared 
with the calculated additional repeater information. 
Fig. 26 shows the equipment configuration of the 
5 authentication device in the fifth preferred 
embodiment . 

In the authentication device 330, after collation 
Cj information is received in a communications unit 352, 

^ a collation information dividing unit 321 divides the 

10 collation information into encryption information and 
O additional repeater information. Then, a decrypting 

0% unit 331 divides the encryption information into 

decrypted anatomical information (such as finger print 
^'■i feature information) and a criterion value. A 

Si 15 anatomical information collating unit 234 collates the 

PI 

anatomical information with the registration 
information of a anatomical information storage unit 
233 which registers the finger print information in 
advance . 

20 A criterion value analyzing unit 332 calculates 

a criterion value based on the additional repeater 
information, and a criterion value comparing unit 333 
compares the calculated criterion value with the 
decrypted criterion value. If it is judged that the 

25 collation result of anatomical information and the 
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collation result of a criterion value both meet all 
the requirements, the authentication result indicating 
that the user should be authenticated is transmitted 
to a network. If the collation, comparison or 
verification result of either anatomical information 
or a criterion value does not meet the requirements, 
the authentication result indicating that the user 
should not be authenticated is transmitted to the 
network . 

Fig. 27 shows the hardware configuration for 
implementing by software the preferred embodiments 
described above. 

If the preferred embodiments of the present 
invention are implemented by software (a program), the 
execution device of the program comprises the 
following devices which are connected to a CPU 
(central processing unit) 401 by a bus 400. A ROM 402 
stores a BIOS, etc. If the CPU is switched on, the CPU 
401 can access the ROM (read only memory) 402, can 
read the BIOS and can control each of the devices. The 
ROM 402 can also store a program for implementing the 
preferred embodiment of the present invention. In this 
case, as soon as the CPU is switched on, the program 
can be executed and can be used as a collation 
information generating unit for anatomical information 
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or a dedicated collation device for collation 
information. 

The program can also be stored in a storage 
device 407, such as a hard disk, etc., can be stored 
in a RAM (random access memory) 403 and can be 
executed by the CPU 401, if required. Alternatively, 
the program can be stored in a portable storage medium 
409(e.g. CD-ROM, DVD, MO, floppy disk, etc.), can be 
read into the RAM 403 by a storage medium reading 
device 408 and can be executed by the CPU 401, if 
required. The program stored in the portable storage 
medium 409 can also be stored in the storage device 
407 and can also be executed by the CPU 401. 

Alternatively, the program can be downloaded from 
an information provider 406 by connecting the CPU to 
a network 405 using a communications interface 404. 
If as described with reference to Fig. 18, etc., both 
an anatomical information collecting device and a 
collation device are connected to the network 405 and 
are used, for example, the information provider 406 
can be regarded as a collation device. In this case, 
the CPU shown in Fig. 27 generates collation 
information, transmits the collation information to 
the information provider 406 and receives the 
authentication result. Alternatively, the roles can 



49 

be exchanged between the device and the information 
provider 406. Furthermore, instead of downloading the 
program via the network 405, the program can also be 
executed in a network environment without downloading 
the program . 

An input/output device usually comprises a 
keyboard, a mouse, a display, etc. However, if the 
device is used as an anatomical information collecting 
device, a sensor for collecting anatomical information 
is further needed. The display displays an 
authentication result, specifically indicates whether 
or not the user should be authenticated. Furthermore, 
if an entrance permit to a computer room in which 
important data is handled is authenticated, the 
input /output device further comprises a mechanism for 
locking/unlocking the computer room, etc. 

According to the authentication system using 
anatomical information of the present invention, the 
alteration of anatomical information by a third party 
can be eliminated and thereby a system for 
implementing high security can be provided. 



